stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[enhancement]: Block IP addresses listed on iblocklist and similar #483

Open mdecimus opened 1 month ago

mdecimus commented 1 month ago

Which feature or improvement would you like to request?

Block IP addresses listed on iblocklist and similar

Is your feature request related to a problem?

I'm having a problem with...


williamdes commented 1 month ago

For example, integrating with the CrowdSec firewall bouncer: https://blog.williamdes.eu/Infrastructure/tutorials/install-crowdsec-and-bouncer-on-pfsense/

The URL provides a list of newline-terminated IPs, thousands of them.

nomadturk commented 1 month ago

> For example, integrating with the CrowdSec firewall bouncer: https://blog.williamdes.eu/Infrastructure/tutorials/install-crowdsec-and-bouncer-on-pfsense/
>
> The URL provides a list of newline-terminated IPs, thousands of them.

Though... Same IP can host both good actors and bad actors.

pfBlockerNG is a good example on pfSense though. It gives you the ability to block IP addresses based on dynamically changing IP lists as well as giving you the ability to block things on DNS level. So that even if you can't block the IP, you can block the domain to punish some of the emails.

I was blackholing a huge chunk of IP addresses on some of my servers, primarily known crypto/virus/tor/brute-force scanners etc.

Some blacklists give you IP addresses, some of them provide you with IP ranges, some are mixed. It would be nice if Stalwart could parse and update such lists.

Like, some examples from my script, not sure if they all still work at the moment though.

```shell
curl -ksSfL "https://api.blocklist.de/getlast.php?time=36000"
curl -ksSfL "https://cinsscore.com/list/ci-badguys.txt"
curl -ksSfL "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt"
curl -ksSfL "https://www.dan.me.uk/torlist/?exit"
curl -ksSfL "https://check.torproject.org/torbulkexitlist?ip=1.1.1.1"
curl -ksSfL "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
curl -ksSfL "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
curl -ksSfL "http://blocklist.greensnow.co/greensnow.txt"
curl -ksSfL "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
curl -ksSfL "https://rules.emergingthreats.net/blockrules/emerging-tor.rules" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
curl -ksSfL "https://rules.emergingthreats.net/blockrules/3coresec.rules" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
```
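As an added illustration of the "mixed lists" point above (example code written for this page, not Stalwart's implementation and not part of the commenter's script), here is a parser that accepts the kind of feed those commands return: bare IPv4/IPv6 addresses, CIDR ranges, comment lines, and lines with extra columns after the address. The feed below is constructed with documentation address ranges; it is not real blocklist data.

```python
import ipaddress

# Constructed sample mimicking the formats seen across such feeds:
# comments, duplicate bare addresses, CIDR ranges (one with host bits set),
# an IPv6 range, a blist.php-style line with trailing columns, and junk.
SAMPLE_FEED = """\
# one bare address per line
203.0.113.7
203.0.113.7
# CIDR ranges
198.51.100.0/24
192.0.2.33/28
# IPv6 entries also appear in some feeds
2001:db8::/32
# address followed by other columns
203.0.113.99 # 2024-01-01 12:00:00 ssh
not-an-address
"""


def parse_blocklist(text):
    """Parse a mixed feed into a list of ip_network objects.

    The first whitespace-separated token of each non-comment line is tried
    as an address or CIDR range. Malformed entries are skipped instead of
    aborting, so one bad line cannot leave the server with an empty list
    after a refresh. Duplicates and overlapping ranges are merged.
    """
    v4, v6 = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token = line.split()[0]
        try:
            # strict=False normalises "192.0.2.33/28" to "192.0.2.32/28"
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue
        (v4 if net.version == 4 else v6).add(net)
    # collapse_addresses only accepts one address family at a time
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(ip, networks):
    """Return True if ip falls inside any parsed network (linear scan)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)
```

A linear scan is fine for demonstrating the matching rule; a production check over thousands of ranges would use a prefix tree or sorted-range lookup.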